The growing number of smart devices that interoperates with smartphones could leave text messages, calendar entries, biometric data, and other sensitive user information wide open to hackers, security researchers warn.
That's because most smart watches rely on a six-digit PIN to secure information traveling to and from connected Android smartphones. With only one million possible keys securing the Bluetooth connection between the handset and the smart device, the PINs are susceptible to brute-force attacks, in which a nearby hacker attempts every possible combination until finding the right one.
Researchers from security firm Bitdefender mounted a proof-of-concept hack against a Samsung Gear Live smartwatch that was paired with a Google Nexus 4 running Android L Preview. Using readily available hacking tools, they found that the PIN obfuscating the Bluetooth connection between the two devices was easily brute forced. From that point on, they were able to monitor the information passing between the watch and the phone.
During the holiday season, shoppers scour the internet to find the best deals for the perfect gifts. Ordinary consumers aren’t the only ones looking for bargains at this time of year. A host of cybercriminals are looking to shop at other people’s expense and use underground marketplaces to buy and sell illegal goods and services. Stolen data, compromised online accounts, custom malware, attack services and infrastructure, fraudulent vouchers, and much more can be bought if you know where to go.
Prices for illegal goods and services can vary widely, depending on what’s offered, but bargains exist even for cybercriminals on the tightest budgets. Attackers can pick up stolen data and compromised accounts for less than a dollar. Larger services, such as attack infrastructure, can cost anything from a hundred dollars to a few thousand. However, considering the potential gains that attackers could make by using this infrastructure, the upfront cost may be worth it for them.
Considering all of the data breaches and point-of-sale (POS) malware incidents that occurred in the last 12 months, you may think that underground markets are flooded with stolen data, causing prices to drop. Interestingly enough, this does not seem to be the case for all illegal goods on these marketplaces.
Shopping in the underground
While some illegal marketplaces are viewable on the public internet, news coverage around underground sites has increased this year, forcing many scammers to move to darker parts of the internet. For example, some forums are now hosted on the anonymous Tor network as hidden services. Other markets are only accessible with an invitation and require a buy-in, which could involve money or goods—like 100 freshly stolen credit cards. Other markets are run on private chat rooms and have rigid vetting procedures for new users. In these closed circles, prices are usually much lower and the traded amount of goods or services is higher.
Stolen data for sale
Prices have dropped for some of the data offered, such as email accounts, but they remain stable for more profitable information like online bank account details. In 2007, stolen email accounts were worth between US$4 and $30. In 2008, prices fluctuated between $0.10 and $100. In 2009, the price hovered between $1 and $20. Today, you can get 1,000 stolen email accounts for $0.50 to $10. The latest pricing is a good indication that there is now oversupply and the market has adjusted accordingly.
Credit card information, on the other hand, has not decreased in value in recent years. In 2007, this information was advertised at between $0.40 and $20 per piece. How much you pay can depend on a number of factors, such as the brand of the card, the country it comes from, the amount of the card’s metadata provided, volume discounts, and how recently the card data was stolen. In 2008, the average asking price for credit card data was slightly higher--$0.06 to $30--and later in the year it rose to from $0.85 to $30. Today, prices for stolen credit card information range between $0.50 and $20. In general, credit card data prices have fallen slightly over the last few years, especially in cases where cybercriminals trade in bulk volumes.
Of course, we have no visibility into transactions and do not know how many buyers actually pay the upper end of the price range. The quality of the stolen goods is also questionable, as some sellers try to sell old data or resell the same data multiple times. This may also explain why there has been a boom in additional service offerings that verify that the seller’s accounts are still active or that a credit card has not yet been blocked. Most underground marketplaces even provide a guarantee for the data’s freshness and replace blocked credit cards within 15 minutes of purchase. As expected, where there is demand, someone will step in and address the gap in the market.
Attack services for hire
Crimeware-as-a-service has also become popular on underground marketplaces. Attackers can easily rent the entire infrastructure needed to run a botnet or any other online scams. This makes cybercrime easily accessible for budding criminals who do not have the technical skills to run an attack campaign on their own.
A drive-by download web toolkit, which includes updates and 24/7 support, can be rented for between $100 and $700 per week. The online banking malware SpyEye (detected as Trojan.Spyeye) is offered from $150 to $1,250 on a six-month lease, and distributed denial-of-service (DDoS) attacks can be ordered from $10 to $1,000 per day. Any product or service directly linked to monetary profit for the buyer retains a solid market price.
Cashing out with fraudulent vouchers and tickets
Cybercriminals are always coming up with new strategies to cash out their profits. Vouchers and online gift cards are currently in vogue, as they can easily be traded or sold online. Attackers pay for them using stolen credit cards or generate them from hijacked online retailer accounts. They then sell the vouchers and online gift cards for 50 to 65 percent of the nominal value. Cybercriminals can also sell hotel, airline, and train tickets for approximately ten percent of the original asking price. Of course, this is very risky for the people who buy these tickets. Recently, 118 people were arrested in a global operation on suspicion of using fake tickets or obtaining stolen card data to purchase airline tickets. The airline industry believes that fraudulent tickets are costing it around $1 billion annually.
Older methods such as packet re-sending agents have declined in popularity. This method involved buying expensive goods with stolen credit cards and having them shipped to an uninvolved volunteer, who then reships the goods to the attacker’s anonymous PO box. This is getting harder to do, as many shops will only ship to the registered home address of the credit card. This also led to some attackers picking up the items in a physical store nearby, rather than shipping them somewhere first.
The expansive underground marketplace
These examples aren’t the only goods and services on offer on underground marketplaces. Also for sale are:
The booming underground marketplace is another reason it’s important to protect your data and identity. Otherwise, you may find your personal information in the shopping basket of a cybercriminal during this holiday season.
Symantec recommends the following basic security guidelines:
Charge Anywhere, a company that routes payment transactions between merchants and payment card processors, said that malicious software planted on its network may have accessed unencrypted sensitive cardholder data for almost five years.
In a statement, the company warned that some of the card data it sends or receives appears in plaintext, allowing attackers to copy it and use it in fraudulent transactions. Details including names, account numbers, expiration dates, and verification codes are known to be exposed for transactions that occurred this year from August 17 through September 24, although it's possible transactions dating back to November 5, 2009 may also have been accessed, the statement said. The disclosure came after company officials hired an unidentified security firm to investigate the breach.
"The investigation revealed that an unauthorized person initially gained access to the network and installed sophisticated malware that was then used to create the ability to capture segments of outbound network traffic," the release stated. "Much of the outbound traffic was encrypted. However, the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests."
The security company investigating the attack against Sony Pictures Entertainment has reportedly penned a letter that seemingly holds the entertainment firm blameless for the breach of its systems—a move that has opened up the investigating firm to criticism by security professionals.
The letter—to SPE’s CEO Michael Lynton from Kevin Mandia, the head of FireEye’s Mandiant, the incident response service the company hired to investigate the attack and restore its network—calls the attack “unprecedented in nature.” Mandia states that the attack would not have been detected by antivirus programs, and the attackers used non-standard strategies to cause damage to the company.
“In fact, the scope of this attack differs from any we have responded to in the past, as its purpose was to both destroy property and release confidential information to the public,” Mandia states in the letter, which was leaked to media outlets. “The bottom line is that this was an unparalleled and well planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared.”
With mobile devices an essential part of our lives and privacy, we must protect that privacy against a form of mobile “spyware” that is openly sold and distributed and that threatens our privacy by secretly monitoring all of our activities on smartphones.
In this context, spyware does not refer to Trojan malware that poses as legitimate games and tools while secretly stealing our private information. This type of spyware is usually called spy or monitoring apps to watch over our spouses, kids, or employees. Buyers of this kind of spyware will install it on their subjects’ mobile devices to monitor their activities and location. Most of these products claim that their software will remain undetected by those who are monitored. Yet how can we, or the developers, justify installing spyware without users’ knowledge and monitor all their private activities on smartphones?
In September, we read reports that a seller of the spyware StealthGenie was indicted in the United States. The seller was criticized for supplying an app that could threaten a victim’s life and could be used, for example, by stalkers and domestic abusers. But similar kinds of spyware are still being distributed in markets and will continue to threaten our privacy.
Most spyware has the following features to remotely monitor and collect data about the target user’s private actions:
Worse still, for devices that are “rooted” for Android or “jailbroken” for iOS, some spyware claims that they can monitor contacts and conversation data of SMS and messaging apps such as WhatsApp, Facebook, LINE, Skype, Viber, Kik, and so on.
It is rare to find these kinds of spyware apps on official markets for mobile apps. Some apps with similar functionality for antitheft or parental control are offered on official stores, and these can be used as spyware depending on circumstances. But spyware apps whose main use is to invade the target’s privacy are not published on official sites, probably because doing so would violate the official app markets’ policies.
Nonetheless, McAfee Labs has recently confirmed that spyware vendors are cleverly offering their products for Android devices via the official store. These vendors or their affiliates publish many free apps that download the spyware products or lead users to their product websites. Those who want to find spyware can get such products directly from the developers sites, but it seems that spyware vendors are seeking more sales opportunities by using popular app stores.
Some of these apps simply redirect users to the sales site of the spyware product; others directly download the spyware and prompt users to install and register. In this manner, spyware vendors let users download and install their spyware products from external sites by publishing apparently harmless landing apps on the official store. Spyware installed from external sites are not listed in the My Apps list, so it is less likely that a target user will notice the installation if the initial landing apps were uninstalled by the monitoring person to hide their traces.
Some of the installed spyware remove their application icons from home screen and app list to not be noticed by the target. And they start monitoring the target’s activities and sending the collected information to a remote server in the background. Other spyware also requires the DeviceAdmin privilege just after launch to make it difficult for victims to uninstall the app even if they notice suspicious behavior.
Because much spyware is sold outside of the official store, they will not usually be installed unless the user enables installation from unknown sources. And even if these apps are installed, McAfee Mobile Security and other security software will detect them and alert users. However, although these countermeasures are effective when the device user accidentally installs malware, these defenses might not work as expected when another person with access to the device wants to monitor the user secretly and installs the app. The monitoring person could change the device’s security settings and even disable detection by security software.
Thus in addition to the usual defenses against malware, we should also observe the following:
There might be cases in which you want to use this kind of spyware as a monitoring tool to really protect someone you care about. First, get his or her consent. And you should be very careful about some points. The careless use of spyware can expose your loved one to danger. The information obtained through spyware must be accessible only to you and/or the monitored person; it is dangerous if you allow the spyware vendor to access the information. If the vendor is malicious, then all the privacy of your loved could be disclosed. Any information collected should be encrypted by a password that only you know, and only you should be able to decrypt it. Otherwise, even a benign spyware vendor could lose information due to a leak or security flaw. Much of the spyware we have seen transfers privacy and account authentication data as plaintext. If the monitored person were to use the phone on an unguarded public LAN with no appropriate security settings, all the private information could be snooped by a malicious observer.
Many of these spyware apps claim that their purpose is to protect spouses and kids, or to prevent employees inappropriate actions. However, if these apps are really intended for that purpose, then it would be reasonable to install them on the targets’ devices with their explicit approval and explain that their activities can be remotely monitored. Installing these apps publicly is a more effective way to prevent any unauthorized actions. Installing spyware secretly only opens the door to privacy invasion and potential cybercrime.
The post Spyware Vendors Find New Ways to Deliver Mobile Apps appeared first on McAfee.